HDPA (Greece) - 10/2024

From GDPRhub
Revision as of 13:14, 23 April 2024 by Lm
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 5(1)(f) GDPR
Article 32 GDPR
Type: Other
Outcome: n/a
Started:
Decided:
Published:
Fine: 2,955,140 EUR
Parties: Hellenic Post
National Case Number/Name: 10/2024
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Greek
Original Source: HDPA (in EL)
Initial Contributor: Iliana Papantoni

The HDPA imposed a fine of € 2,995,140 on the Hellenic Post for violation of Articles 5(1)(f) and 32 GDPR, following its personal data breach notifications.

English Summary

Facts

On 23 March 2022, the Hellenic Taxydromia Anonymous Ltd (controller) notified a personal data breach to the Hellenic DPA (HDPA) as a result of a cyberattack. The breached data included access to workstations and files of employees, passwords of network domain management accounts and miscellaneous folders, and was subsequently published on the Dark Web. In addition, the attackers installed malicious processes on the controller's system.

On 19 May 2022, the HDPA requested a description of the actions taken by the controller to address the data breach, as well as the actions taken to notify the data subjects concerned or any third party. The controller responded by providing a cybersecurity incident report. It stated that it had informed the public about the personal data breach and the actions taken in response. The controller also announced the incident internally, informed the bodies affected by the incident (the International Post Corporation, PostEurop and the Universal Postal Union), and informed the relevant national authorities. The controller also shared its policies concerning its systems, data security, and privacy by design and by default.

On 27 July 2022, the controller notified the HDPA of a subsequent incident, in which the leaked personal data was published on the dark web as a consequence of the data breach. In response to a request for additional information from the HDPA, the controller shared with the HDPA further information concerning the publication of the data on the dark web and a detailed analysis of the files posted on the website, including file and subfolder names and categories, categories of data subjects, types of personal data and a description.

On 29 November 2022, the HDPA invited the controller to a hearing, which was held on 6 June 2023. The controller explained that the cyberattack took place at 1:30 A.M. and was detected at 6:30 A.M. It received no alerts from the Windows Management Instrumentation Command tool due to a network connection failure. Following confirmation of the threat, the system was taken offline and a process of investigation, logging, categorisation, classification and notification of the parties involved was initiated. The controller immediately informed corporate customers of the incident. Although some systems were encrypted and could not be recovered, the vast majority of systems were recovered. The controller argued that, at the time of the cyberattack, it was facing financial difficulties. It submitted balance sheets to the HDPA, which indicated financial losses in 2020, 2021 and 2022.

Following the breach, the controller made significant resources available to strengthen the security of its systems. The controller also stated that, in order to better manage breach incidents, it had launched staff training programmes.

Holding

The HDPA found that ELTA (the controller): i) had not implemented appropriate technical and organisational measures; ii) had not implemented appropriate data protection policies; iii) had not ensured the confidentiality, availability and resilience of its processing systems and services, or the integrity of its processes for regular testing.

In order to calculate the fine, the HDPA took into consideration the following: i) the number of data subjects affected; ii) the level of damage; iii) the fact that a breach of the controller's system took place, with unauthorised access to resources, installation of malicious software and disclosure of data on the dark web; iv) the failure to implement the security policy, the failure to ensure that data was accessed only by authorised users, insufficient technical documentation on the collection of domain passwords, and the underutilisation of the warnings about unusual activity raised by the protection mechanisms; v) the categories of personal data affected (personal data of particular significance, e.g. financial data, employees' data, etc.); vi) the fact that historical application data was not recovered and no measures were taken to limit the uploading of data to the dark web.

The HDPA took into account the following mitigating factors: i) following the incidents, the system security was strengthened; ii) there was no leakage of special categories of personal data; iii) a significant part of the data volume was restored from backups and service availability was restored; iv) the controller submitted an additional notification of the incident which included detailed information about the leakage of personal data to the dark web.

In light of the above, the HDPA imposed a fine of 3,995,140 € on the controller.


English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.